Yesterday the EU Commission and the US government announced that, having burst past the deadline of Sunday set by Europe’s Data Protection Authorities (collectively called the Art 29 Working Party because that’s how the EU is), they had secured an 11th hour deal on transfers of personal data across the Atlantic.

Safe Harbour (and Safe Harbor) was no more, they trumpeted, replaced by something that is spelled the same in English for both parties: the Privacy Shield.

How can I say there isn’t a deal? It has its own logo!

These are some of my initial thoughts on the announcement, and why there is less to it than the two negotiating sides would hope you might think.

Firstly, and contrary to what the Commission and the US greatly desired to assert, this is not a deal done to replace Safe Harbour. It is not a deal at all. The EU Commission, as the clock ran out before the Art 29 meeting of tomorrow, simply agreed to take the US’ last negotiating position to the rest of the other players in the EU decision-making machinery.

Here, buried three quarters of the way down the Commission press release, is the description of what it is actually agreed the EU will do.

The College has today mandated Vice-President Ansip and Commissioner Jourová to prepare a draft “adequacy decision” in the coming weeks, which could then be adopted by the College after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States.

So the EU will spend ‘weeks’ drafting a text, and then they’ll try to bring the Art 29 Working Party on board with that text and then finally they’ll have to finalise it with all the Member States.

What we actually have here is a desperate PR effort to buy more time before the EU Commission and the US have to face the consequences of the legal incompatibility between the EU’s Charter of Fundamental Rights and the US’ commitment to mass surveillance.

And that’s it. That’s all the Privacy Shield is: a noisy trumpet blast aimed at just one audience, the Art 29 Working Party. It’s intended to persuade them to give the Commission more time (after, let us not forget, in excess of three years of fruitless negotiations with the US) before they start to actually enforce the law.

It’s pretty transparent, but it was worth the throw of the dice for the two negotiating partners. Without something to say at the end of Tuesday, some data flows between the US and the EU were going to be suspended by the close of business today.

Whether it will have its intended outcome (‘let’s just keep going without a legal basis for data flows, eh?’) will depend on whether the Art 29 group are willing to spool the process out even further.

If not, the Privacy Shield could be the shortest-lived ‘deal’ in history, falling immediately into disuse if, after today’s meeting, one or more of the EU’s institutionally independent Data Protection Authorities finally decides that their job is to uphold the actual law, rather than to wait around for a new one to appear some day in the ever-receding future.

2 Comments

This is one example of a data security issue, which ought to flag up how cloud data generally is managed, and what the risks are. I strongly suspect that outside of professional records managers there is little understanding of where and how data is stored and managed. That should worry everyone as the cloud is blindly trusted.